Risk management, strategy and analysis from Deloitte

CONTENT FROM OUR SPONSOR

Please note: The Wall Street Journal News Department was not involved in the creation of the content below.


How Digital Disruption Can Threaten Disaster Recovery Planning

John Gelinne

Within minutes, airlines can deliver news to their customers’ mobile devices that flights have been cancelled. Yet, recent computer system outages in the industry have shown that it can take hours or even days to restore normal flight operations and get travelers back on their journey. Such events can be costly to a company’s brand and reputation, and often quickly escalate to the C-suite or board level, particularly in light of customers, media and other stakeholders who expect immediate answers and quick fixes.

Businesses most at risk are those that rely mainly on traditional disaster recovery and business interruption planning. “Legacy disaster recovery programs are based on the principle of redundancy, which relies on a network of expensive backup systems as the primary solution,” says John Gelinne, Advisory managing director, Cyber Risk Services, Deloitte & Touche LLP. “The challenge now is that there are many points of digital disruption to today’s business models, and redundancy alone addresses only one part of the needed solution,” Mr. Gelinne adds.

Redundancy does not, for example, address the many legacy systems that have become too expensive or outdated to help address current technology risks. “Organizations are grappling with the consequences of burdensome recovery methods that are costly and inefficient,” says Pete Renneker, Advisory senior manager, Cyber Risk Services, Deloitte & Touche LLP. Further, the increase in major outages, such as those in the airline industry, is occurring against the backdrop of a digital era in which customers and business partners have come to expect technology to be ubiquitous and ‘always on’. “As a result, new technologies and increased customer expectations require a new approach. Pursuing a technical resilience program can reduce both the likelihood and impact of technology disruptions,” adds Mr. Renneker.

Shifting Away from Traditional Recovery Planning

Despite advances in virtualization, cloud computing and other technologies which better support resiliency, the basic disaster recovery model has not changed in recent decades. The typical scenario is: disaster strikes, a decision is made to invoke the plan and a team springs into action to recover from disruption. And while installing traditional redundant backup systems can help mitigate the impact of physical disruptions, redundancy tends to be expensive and ignores higher-probability events, such as data corruption or cyberattacks.

More worrying, without proper safeguards in place, redundancy solutions which replicate data in nanoseconds can actually propagate malicious software to backup environments, resulting in equally corrupted recovery systems. Another complication with traditional disaster recovery is its focus on scenario planning. With increasingly complex cyber events, it is unlikely organizations can develop a plan for every scenario in an ever-changing digital environment. “As a result, traditional disaster recovery programs can be costly, antiquated and ineffective, while often amplifying risk instead of mitigating it,” says Mr. Renneker.

As business reliance on technology increases, organizations should consider shifting to a strategy that doesn’t wait for a crisis to hit, but instead embodies an “always-on” approach that today’s customers expect, one that continually monitors and tracks potential risks. The “always-on” approach can be especially important for fast-growing digital business processes—such as with online travel booking services—in which revenue is driven entirely through technology. The objective of an effective technical resilience program is to avoid disruption by focusing on proactive measures, innovative architecture design and operational excellence.

“Ideally, the technical resilience process begins before there is an indication of a disruption or cyberattack,” explains Mr. Gelinne. If implemented correctly, this process draws in customer experience metrics, risk sensing and third-party intelligence to help inform decisions. Conversely, traditional disaster recovery measures tend to focus on recovery time objectives, recovery point objectives and service-level agreements for needed backup support. “As downtime and data loss become increasingly unacceptable, some disaster recovery metrics are becoming increasingly problematic,” adds Mr. Gelinne.

Technical Resilience at Work

Launching a resilience strategy often requires a shift in thinking by executive leadership. Leaders may want to stop treating adverse events as anomalies that require separate risk management programs and begin thinking about digital disruption as higher-probability, higher-impact events that require risk ownership across the enterprise.

An example of technical resilience in practice is how the U.S. military builds resilience into its platforms. U.S. Navy surface ships are designed from the keel up to continue their mission despite damage. That means that in a worst-case scenario, in which a ship is hit by a missile, automated sensing systems respond to a loss of power and steering, as well as a loss of information exchange between sensors and weapon systems, by activating immediate “trips” to safe alternate systems. Many of these same design attributes can be used to address risks within the digital business ecosystem. Implementing design standards that include zero-touch environments and zero-trust networks can help prevent the spread of malicious software from infected servers to recovery servers.

Becoming technically resilient requires a fundamental shift from traditional reactive business continuity/disaster recovery solutions to more proactive capabilities. Combining relevant customer experience metrics with risk sensing and other design attributes can drive more informed decisions and pre-emptive system failover. Instilling the concepts of automation, agility and scalability into design requirements can drive the adoption of cloud-based environments and secure recovery capabilities, which will allow the business to overcome disruptions and continue to meet increasing “always on” expectations. It will also provide the ability to achieve rapid restoration from the higher-probability disruptions, like cyberattacks, that businesses currently face.

Questions to Consider

Prevention and detection of digital disruptions remain elusive for many organizations that rely solely on traditional methods of disaster recovery. However, technical resilience programs can provide organizations with the ability to withstand disruptions to IT capabilities that support critical business operations.

Following are questions for board members and C-suite executives to consider asking their technology, cybersecurity and risk teams about technical resilience and the role it can play in their organization.

—Does the organization’s current disaster recovery capability allow for recovery from a cyber incident (e.g. ransomware)?

—Does the organization’s business model require 24×7 availability, and if so, does the current disaster recovery capability meet that requirement?

—How much does the organization spend on redundant data centers and technologies? Is the organization getting the best return on that investment?

—When was the last time the organization had to switch to its redundant data center? What was the outcome?

—Does the organization understand how to recover critical technology interdependencies? Does it understand what interdependencies exist?

“Building technical resilience requires a new methodology and approach that takes into account increasingly complex end-to-end digital business processes,” says Mr. Gelinne. “If implemented correctly, it can help minimize the probability and impact of technology disruptions while reducing costs and improving an organization’s risk posture,” he adds.

About Deloitte Insights

Deloitte’s Insights for C-suite executives and board members provide information and resources to help address the challenges of managing risk for both value creation and protection, as well as increasing compliance requirements.